
CVE-2026-41258 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-41258 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-41258 is a code injection vulnerability in OpenMRS Core, an open source electronic medical record platform, affecting the ConceptReferenceRangeUtility.evaluateCriteria() method in versions 2.7.0 through 2.7.8 and versions prior to 2.8.6.

Technical Detail

The vulnerability exists in the evaluateCriteria() method, which evaluates database expressions without adequate sanitization or restriction of user-controlled input, consistent with a server-side expression injection or unsafe deserialization pattern. An attacker who can supply crafted input to this method may be able to execute arbitrary code or queries in the context of the application or its underlying database. The full impact scope, including whether unauthenticated access to the vulnerable method is possible, has not been fully confirmed in available public disclosure, but the CVSS score of 9.1 indicates high impact to confidentiality and integrity with low or no required privileges.

Exploitation Status

No known exploit exists for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. There is no public proof-of-concept code confirmed as of May 22, 2026. Organizations should not treat the absence of a known exploit as a reason to delay patching, given the critical severity rating and the sensitive nature of the affected platform.

Who Is Targeting This

There is no specific threat actor attribution at this time. However, healthcare and medical records platforms are a consistent target for ransomware operators and data theft actors because of the high value of protected health information. Organizations running OpenMRS in clinical or research environments should treat this as an elevated-priority exposure regardless of current attribution gaps.

What To Do

Upgrade OpenMRS Core to version 2.7.9 or 2.8.6 or later immediately. If an immediate upgrade is not operationally feasible, restrict network access to the OpenMRS application to trusted internal hosts and authenticated users only, and audit any interfaces that expose the concept reference range evaluation functionality to external or lower-privileged users. Monitor application logs for anomalous query patterns or unexpected method invocations against the ConceptReferenceRangeUtility class. Given the critical CVSS score and the sensitivity of medical record data, patching should be treated as high priority and completed within the shortest feasible maintenance window.
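As an added illustration of the triage and log-monitoring steps above (example code written for this briefing, not code from OpenMRS): a small script that checks whether a reported OpenMRS Core version falls in the affected ranges, and flags evaluateCriteria invocations that come from outside trusted networks or whose criteria contain characters outside a conservative allowlist. The log line shape, the trusted networks and the allowlist are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumed log shape (constructed for this example; not OpenMRS's actual format):
#   <timestamp> <level> ConceptReferenceRangeUtility - evaluateCriteria criteria="<expr>" remote=<ip>
LOG_RE = re.compile(
    r'ConceptReferenceRangeUtility - evaluateCriteria '
    r'criteria="(?P<criteria>[^"]*)" remote=(?P<remote>\S+)'
)
# Trusted internal ranges (assumption; replace with your own allowlist).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Characters a benign range criterion is assumed to need: identifiers, digits,
# whitespace, $-variables, dots, parentheses, comparison and boolean operators.
BENIGN_CRITERIA = re.compile(r'^[\w\s$.()<>=!&|+\-*/]{0,200}$')

# Constructed sample log lines (not real OpenMRS output).
SAMPLE_LOGS = [
    '2026-05-22 10:15:01 INFO ConceptReferenceRangeUtility - evaluateCriteria criteria="$fn.getAge() > 18" remote=10.0.5.12',
    '2026-05-22 10:15:07 INFO ConceptReferenceRangeUtility - evaluateCriteria criteria="$fn.getAge() < 5" remote=203.0.113.7',
    '2026-05-22 10:15:09 INFO ConceptReferenceRangeUtility - evaluateCriteria criteria="$fn.getAge(); $fn.foo[0]" remote=10.0.5.12',
    '2026-05-22 10:16:00 INFO SomeOtherService - ping',
]

def is_affected(version):
    """True if an OpenMRS Core version string is in the ranges the briefing lists."""
    v = tuple(int(p) for p in version.split(".")[:3])
    if v[:2] == (2, 7):
        return v <= (2, 7, 8)          # fixed in 2.7.9
    return v < (2, 8, 6)               # fixed in 2.8.6

def inspect_line(line):
    """Return reasons a log line is suspicious; [] if benign or not an evaluateCriteria call."""
    m = LOG_RE.search(line)
    if not m:
        return []
    reasons = []
    try:
        ip = ipaddress.ip_address(m.group("remote"))
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("untrusted source")
    except ValueError:
        reasons.append("unparseable remote address")
    if not BENIGN_CRITERIA.match(m.group("criteria")):
        reasons.append("criteria outside expected character allowlist")
    return reasons
```

Tune the allowlist to the criteria your deployment actually uses before relying on it; an overly narrow pattern will produce noise rather than signal.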
